The proliferation of interconnected network devices across the Internet is a hot topic of conversation in the IT world these days. Everywhere you look, you see references to the Internet of Things, or IoT, as it is called. But a higher level view also reveals a growing basic internetworking of systems and, by extension, people. With business portals and nested company hybrid cloud infrastructures, IT cybersecurity is no longer a “my shop is my shop, your shop is yours” endeavor. The infamous Target breach of 2013 is glaring proof that a business partner’s lack of cybersecurity vigilance can lead to an exposure of your own.
As the number of end points of the IoT expands exponentially, so too does the growing amount of responsibility upon good corporate citizens to lead the fight for new, evolving culture and thought leadership in the cybersecurity world. And the emergence of new and improved malware and other malicious software will only shed more light on this constantly emerging issue.
Here’s a case in point. At a recent speaking engagement to a group of IT personnel, I began by asking the room of 40 people a question:
“How many of you consider yourself cybersecurity professionals?”
Three people raised their hands. It was an appropriate response as most of the attendees were working in networking, desktop support or other “traditional” IT groups at their companies. It was interesting to gauge the response to this question because it aligned with what I would have seen 10 years ago in the same scenario. Here’s a large gathering of IT professionals in which a minority percentage was part of the security business dedicated to keeping the bad guys out behind their firewalls, advanced routing/screening and IDS detection.
After I received my three out of 40 response, I proceeded through my presentation, which was a detailed, step-by-step analysis of an actual, public record cyberbreach that is estimated to have cost one corporate entity of over $100 million. Despite how it may sound, this was not a highly technical, binary jungle of information. It was about 45 minutes of explaining the chain of human errors that affected a company and its partners. And what triggered the chain of events? A non-IT employee choosing to do something that would be against any responsibly-thinking company’s policy. Literally, it started with one click of the computer mouse.
One click.
The moral of this story, and the countless others like it, is not about misconfigured firewalls, poorly identified threat signatures, or any other similar highly technical guffaw. We live in a world now that is viscerally not like it was 10 years ago. Yet I see evidence that we still function that as if it were. Every day we connect more devices. In fact, Gartner projected that 5.5 million things were added to the Internet every day in 2016. I didn’t know anyone who had a refrigerator with a Wi-Fi or Bluetooth connection in 2006 for example.
Along with this massive avalanche of connectivity, we have the growing resolve and ambition of the cybercriminal. We sometimes hear about the so-called “superbugs” in the medical field, and I would argue that we are on the precipice of a golden age of “superbugs” in the IT world. And we are not close to inoculation. Not even close.
The recent global infestation of the “WannaCry” ransomware attack is additional proof that we are globally unprepared for the cyberwarfare ahead of us. It is not a technology issue, and it should be clear that technology is not going to save us. Technology will be a tool in the effort of the human solution to combat this issue. However, technology doesn’t click on suspicious links in unsolicited emails, nor does it design and deploy inefficient and under thought policies and governance. Technology doesn’t pick up random USB drives and plug them into their corporate machines, and technology doesn’t have password complexity standards that require five characters and one capital letter. These are all people issues and can be solved by people.
Therefore, in terms of functionality, a cybersecurity professional is no longer an employee who provisions the firewalls or the analyst who reviews the IDS alerts and prescribes action. A cybersecurity professional is now anyone – anywhere – who touches anything that touches the internet. Corporate assets are handled by everyone who works for the company. Your corporate laptop, a BYOD phone or tablet, the access badge that was given on your first day, your choice of password to protect your domain account, and many other concepts make everyone a cybersecurity professional in one sense or another because we are now all responsible for protecting ourselves and our employers.
At the end of that speaking engagement in which I presented the cybercrime story, I asked the attendees the same question again:
“How many of you consider yourself cybersecurity professionals?”
For more insights into cybersecurity, Global Knowledge recommends the following courses:
Certified Network Defender (CND)